The same should apply to your technical assets. If your workstations don’t need to talk directly to your servers, then don’t let them. Segment your networks and apply firewall rules to explicitly allow only those machines and services that need to “talk.” This not only helps to reduce the scope of your risk, but it also limits the amount of damage an attacker could do if he or she were able to get into the network.
How is it that cybersecurity spending is increasing but breaches are still happening?
Just because one is investing money doesn’t mean they will see a return on investment. I think this is the case in our industry. Investment in products is going up, up, up, but where’s the ROI? It’s really no different than the stock market. Buyers have to do their homework and make sure they’re making wise investments with their cybersecurity budget. I would also argue that, just as in the financial services industry, it may make sense for organizations to partner with a trusted security advisor (much akin to a fiduciary for investors).
Do you need a college degree or certification to be a cybersecurity professional?
Need? No. But getting a certification not only shows me that you can jump the hurdle, it also shows me that you can apply yourself. I think similarly for a college degree. In addition to showing your ability to stick with something until the end, generally you’ll come out of college with above-par written communication skills, which are extremely important in technology.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got started in the field by going to school for it. I grew up tinkering on PCs but also had an affinity for working on cars (my dad was a mechanic). One day, I told my dad that I wanted to be a mechanic, and his advice was to go into computers instead, so I took the advice. In high school, I took as many computer courses as I could; then I went straight into a technical college to work on my bachelor’s in network security and forensics.
During my time in school, I got a full-time job and switched my school schedule to nights. So I worked eight hours a day, then went to school for three to four hours at night until I graduated.
My advice would be to enroll in a program at your local community college, find as many local tech meetups as possible, and start networking. Start a personal blog where you document your tinkering and research. Don’t be afraid to jump into things that you think you aren’t qualified for. Always apply for the job, give it your best shot, and never sell yourself short.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I’m not sure I have a specialty. I really enjoy analyzing the current security programs of organizations and laying out a blueprint to make things better.
I suppose if I had to pick a specialty, it would be the ability to leverage the technology that organizations already own and greatly increase their security posture. I cut my teeth at the Department of Defense, where the majority of our security came from how we configured our machines and the policies and procedures we wrapped around everything we did.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Well, I’ve done all three. First, getting a job is easy, but getting a job you actually want is hard. Read some books on negotiation, understand how to pick up on social cues, and understand that interviews are really a conversation, not a deposition.
If you show your curiosity and dedication to learn, as well as being able to subtly move the conversation in the way you want, you should have no issue getting a job.
Second, climbing the corporate ladder takes some finesse. You need to understand how to tell someone they are wrong without telling them they are wrong. You will have to suck it up and take responsibility for issues you didn’t cause, and you’ll definitely have to pick your battles. Show that you’re always willing to help solve the problem, but don’t let the organization take advantage of your time either. Finally, but perhaps most importantly, make it clear to your superiors that you want to elevate your career within the company. Make your ambitions known and ask for a plan for how to achieve your goals.
Third, starting a company is not easy, and running a company is even more difficult. Make sure you have enough financial runway to cover your expenses for a full year. Whether you take funding or save it up yourself, this is important. Also, make sure there’s a market for what you are going to offer, and make sure the market is not saturated. Finally, understand that you are absolutely going to need someone to do sales and someone to do marketing. If this is you, great! Just make sure you’re ready for long days and long nights. If you can handle all that, then go for it! As they say, “It’s better to fly and fall than to never fly at all.”
What qualities do you believe all highly successful cybersecurity professionals share?
Curiosity. Perseverance. Determination.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
It’s gotta be something by M. Night Shyamalan. Once you think you’ve got it all figured out…bam, you get hit with a twist you never saw coming. Just put that on repeat and that, in a nutshell, is cybersecurity.
What is your favorite hacker movie?
The Imitation Game. Not your traditional “hacker movie,” but it’s a great film.
What are your favorite books for motivation, personal development, or enjoyment?
I’ve gotta be honest, I don’t read many “personal development” books or books in general. The only time I actually read is when I’m on a plane, and then it’s usually whatever Amazon Prime is giving away for free. I’ve never read a book twice. If I had to name a favorite book, I suppose it would be Rework.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Be suspicious, seek out your own truth, stay vigilant. Practical advice for the home user in no particular order: don’t run as local admin, keep your machines up to date with patches and antivirus definitions, use an ad blocker, set a strong WPA2 password on your Wi-Fi, set your DNS servers to ones that filter malicious domains such as Quad9, and use a password manager such as LastPass.
If you can get away with running Chromebooks for at least some of your family, go with that instead of a full-blown Mac or Windows machine. There’s less attack surface, and they are easy to maintain.
What is a life hack that you’d like to share?
Use technology to limit your access to work. Work-life balance is important, so if you can’t manage that on your own, use technology to do it. Set do-not-disturb times, don’t sync work emails between certain hours, and so on.
Work will always be there, and there will always be more work to do. You will never be done with work, so don’t let it stress you out.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I’ve made a lot of mistakes in my career, but the one I felt the worst about was when I brought down our production SAN. I was trying to do the right thing and keep all of our machines patched and up to date. I got the firmware from vendor support and confirmed with the vendor that the firmware was the correct one. I applied the patch during the scheduled maintenance time, and it needed to reboot to apply the firmware update. The thing is…it never came back up. Our public-facing websites and web apps were running off of that SAN, and I brought them all down.
I recovered by working with the vendor until it was fixed. That meant a couple of late nights, but I took responsibility and made sure that I saw the issue to resolution. ■
9
Lesley Carhart
“Take time to understand the risks and threats you face. It may not be beneficial for every organization to know which specific countries or criminal organizations are targeting them, but every organization should know what their “worst possible day” looks li
ke.”
Twitter: @hacks4pancakes • Website: tisiphone.net
Lesley Carhart (GCIH, GREM, GCFA, GPEN, B.S. Network Technologies, DePaul University) is an 18-year IT industry veteran, including 9 years in information security (specifically, digital forensics and incident response). She speaks and writes about digital forensics and incident response, OSINT, and information security careers. She is highly involved in the Chicagoland information security community and is staff at Circle City Con in Indianapolis. Lesley is currently the principal threat hunter at Dragos, Inc. In her free time, she studies three martial arts, is a competitive pistol marksman, and is generally an all-around huge geek.
If there is one myth that you could debunk in cybersecurity, what would it be?
The organizations we work with are rarely in the business of security. We are security professionals providing a service to organizations with their own missions. The sooner we understand that, the sooner we can stop asking counterproductive questions such as “Why don’t you just…” regarding IT decisions. A good security professional studies the technical minutiae of their niche. A great security professional also studies business operations and assists their senior leadership in making pragmatic risk decisions that balance operations and security.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Take time to understand the risks and threats you face. It may not be beneficial for every organization to know which specific countries or criminal organizations are targeting them, but every organization should know what their “worst possible day” looks like. Is it not being able to conduct transactions? Theft of sensitive information? Inability to perform a physical function?
Once an organization identifies and quantifies risks and the assets associated with their key functions, it becomes inherently easier to identify potential causes of a critically impactful incident. Consequently, the organization will be better prepared to appropriately mitigate risk and spend security resources sensibly.
How is it that cybersecurity spending is increasing but breaches are still happening?
Security vendors are great at marketing individual products as panaceas, and the crucial concept of “defense in depth” is not reaching senior leadership. Adversaries will always improve their tactics to compensate for emerging security technologies. The only real defense is a layered approach, combining security products, risk management, sensible policies and procedures, proper disaster recovery planning, and human expertise. There is no single silver bullet.
Do you need a college degree or certification to be a cybersecurity professional?
You don’t need a college degree or certification, but it can certainly help boost your career from an HR perspective. There are many possible paths to becoming a successful professional in the cybersecurity field. Studying hard, getting a four-year degree, and then applying for entry-level positions is a fairly common one. Degrees and credible certifications can also help later in one’s career while pursuing promotion to management, academic, or senior leadership positions.
Unfortunately, at the time of this writing, I have seen few cybersecurity-specific degree programs that produce well-rounded security professionals. While degrees are a great tool for learning fundamentals, clearing HR hurdles, and increasing promotion potential, I would strongly caution against assuming they will teach all of the skills needed to succeed in the field (or even to clear technical interviews). Self-study and community participation are still crucial to success.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I honestly avoid telling my origin story because I got an unusually early start in security, so I fit a stereotype that’s not a realistic representation of most security professionals. I started coding around age 8 and was hired as a developer at 15. I quickly realized that I didn’t particularly enjoy professional coding as much as security, and got involved in my local hacking community. I will note that getting into the niche of digital forensics specifically was a much longer and harder battle for me because of the specialized, expensive tools used in the field.
If I could give one piece of advice to every person considering a career in security, it would be this: try to figure out what, in general, you want to do. There are many different roles in cybersecurity—from “red team” penetration testing to “blue team” malware reverse engineering. They require fairly different personalities and skill sets. When you come up to a security professional seeking mentorship, the first question most of us ask is, “What do you want to do?” We aren’t asking you to decide your entire future career, or even name a specific role, but it helps us a lot to understand what general areas of security you find interesting. Eventually, you’ll need to focus on one or two. Some of this decision will be aided by working in an entry-level role that offers exposure to a variety of hands-on tasks. However, you can glean a lot about various security roles by watching conference talks and trying out “capture the flag”–type exercises at home.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is digital forensics and incident response, specifically in response to targeted attacks. I investigate incidents of human intrusion into networks—often state-sponsored actors.
This entails collecting system, network, and malware forensic evidence; processing it or routing it to specialist teams; creating detailed timelines of attacker activity; coordinating incident response activity across security and business teams; and then producing a comprehensive report that explains what happened, when, how it happened, and how similar activity can be prevented in the future.
Does this type of detailed detective work appeal to you? I suggest getting your start as an analyst in a security operations center where you’ll gain exposure to the many different niches of security we utilize and coordinate during incident response. You’ll want to beef up on disk, network, and memory forensics; live and static malware analysis; and trawl gigabytes of logs.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Get out there, get involved, and network! The broader security community may have its foibles, but most people are willing to help you if you’re willing to put forth effort. If you have trouble interacting with people, it’s well worth your time to try to improve your interpersonal skills. Take an improv class or join Toastmasters. I’ve seen numerous intelligent security people repeatedly fail to get hired because of poor interview or résumé-writing skills.
What qualities do you believe all highly successful cybersecurity professionals share?
An intense desire to learn about how all sorts of things work, and a talent for thinking outside the box and seeking out unusual solutions to problems.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
If you really want to delve into the murky world of advanced adversaries, I’d recommend Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon by Kim Zetter, Dark Territory: The Secret History of Cyber War by Fred Kaplan, and 21st Century Chinese Cyberwarfare by Lieutenant Colonel William Hagestad.
What is your favorite hacker movie?
Oh, man. So many fictional movies I love that are ostensibly about hacking really have little to do with hacking at all. If you enjoy documentaries, The KGB, the Computer, and Me is a fascinating story, albeit one told better in the book The Cuckoo’s Egg. In terms of fiction, I still love the movie Sneakers.
There are a number of recent TV shows that have represented hacking and hacking culture far better than films, such as Mr. Robot and Halt and Catch Fire.
What are your favorite books for motivation, personal development, or enjoyment?
I have a particular fondness for Isaac A
simov, particularly his Susan Calvin stories. Asimov envisioned futures that weren’t specifically dystopian or utopian but rather reflected realistic ethical and scientific dilemmas. Artificially intelligent humanoid robots in everyday homes may still be science fiction, but the complex dilemmas and conflicts Asimov posed in his stories are often not far-flung from ones we face in the second decade of the 21st century.
Currently, my top picks for digital forensics and incident response technical reading are Practical Malware Analysis by Michael Sikorski and Andrew Honig, Windows Registry Forensics by Harlan Carvey, and The Art of Memory Forensics by Michael Hale Ligh et al.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Consider how badly you need or want these devices and segment them from your computer network as much as possible. Most modern wireless routers allow the simultaneous broadcast of guest and private network SSIDs. Another solution is installing two routers with independent wireless networks and firewalls enabled. Keep those smart light bulbs and media players off the network you do your taxes on, and make sure they remain behind a firewall!
What is a life hack that you’d like to share?
Let’s talk about body language! When you’re speaking to somebody who is standing up, glance at their feet. If you’re engaging them and they want to talk to you, their feet will usually be pointed toward you. If their feet are pointing toward an exit, you’re either losing their interest or have already lost it. Time to let them go, or consider why you’re losing them! If you want to show interest in a conversation, maintain polite eye contact and make sure your feet are facing toward the person or people you’re talking to.
In many Western cultures, standing with legs apart and arms uncrossed comes off as more aggressive, while crossing one’s arms, looking down, and keeping the legs close together comes off as more defensive and deferential. Keep these nonverbal cues in mind when having a conversation, and try to balance them to keep the conversation comfortable.
Tribe of Hackers Page 6
